sqreen 1.19.3-java → 1.20.0-java

data/lib/sqreen/legacy/waf_redactions.rb

@@ -0,0 +1,49 @@
+# typed: ignore
+
+# Copyright (c) 2015 Sqreen. All Rights Reserved.
+# Please refer to our terms for more information: https://www.sqreen.com/terms.html
+
+module Sqreen
+  module Legacy
+    module WafRedactions
+      class << self
+        def redact_attacks!(attacks, values)
+          return attacks if values.empty?
+
+          values = values.map { |v| v.downcase if v.is_a?(String) }
+
+          attacks.each do |e|
+            next(e) unless e[:infos]
+            next(e) unless e[:infos][:waf_data]
+
+            parsed = JSON.parse(e[:infos][:waf_data])
+            redacted = parsed.each do |w|
+              next unless (filters = w['filter'])
+
+              filters.each do |f|
+                next unless (v = f['resolved_value'])
+                next unless values.include?(v.downcase)
+
+                f['match_status'] = SensitiveDataRedactor::MASK
+                f['resolved_value'] = SensitiveDataRedactor::MASK
+              end
+            end
+            e[:infos][:waf_data] = JSON.dump(redacted)
+          end
+        end
+
+        # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000022-waf-data-sanitization.md#changes-to-the-agents
+        def redact_exceptions!(exceptions, values)
+          return exceptions if values.empty?
+
+          exceptions.each do |e|
+            next(e) unless e[:infos]
+            next(e) unless e[:infos][:waf]
+
+            e[:infos][:waf].delete(:args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/sqreen/metrics/base.rb

@@ -12,6 +12,9 @@ module Sqreen
     FINISH_KEY = 'finish'.freeze
     # Base interface for a metric
     class Base
+      attr_accessor :name, :period # for signals serialization
+      attr_accessor :rule # optional
+
       def initialize(_opts={})
         @sample = nil
       end

data/lib/sqreen/metrics_store.rb

@@ -3,6 +3,7 @@
 # Copyright (c) 2015 Sqreen. All Rights Reserved.
 # Please refer to our terms for more information: https://www.sqreen.com/terms.html
 
+require 'sqreen/aggregated_metric'
 require 'sqreen/metrics'
 require 'sqreen/mono_time'
 require 'sqreen/metrics_store/unknown_metric'
@@ -30,8 +31,9 @@ module Sqreen
 
     # Definition contains a name,period and aggregate at least
     # @param definition [Hash] a metric definition
+    # @param rule [RuleCB] the rule associated with this metric, if any
     # @param mklass [Object] Override metric object (used in testing)
-    def create_metric(definition, mklass = nil)
+    def create_metric(definition, rule = nil, mklass = nil)
       name = definition[NAME_KEY]
       kind = definition[KIND_KEY]
       klass = valid_metric(kind, name)
@@ -43,6 +45,9 @@ module Sqreen
         definition[PERIOD_KEY],
         nil # Start
       ]
+      metric.name = name
+      metric.rule = rule
+      metric.period = definition[PERIOD_KEY]
       metric
     end
 
@@ -50,7 +55,7 @@ module Sqreen
       @metrics.key?(name)
     end
 
-    # @params at [Time] when is the store emptied
+    # @param at [Time] when is the store emptied
     def update(name, at, key, value)
       metric, period, start = @metrics[name]
       raise UnregisteredMetric, "Unknown metric #{name}" unless metric
@@ -59,7 +64,7 @@ module Sqreen
     end
 
     # Drains every metrics and returns the store content
-    # @params at [Time] when is the store emptied
+    # @param at [Time] when is the store emptied
     def publish(flush = true, at = Sqreen.time)
       @metrics.each do |name, (_, period, start)|
         next_sample(name, at) if flush || !start.nil? && (start + period) < at
@@ -75,15 +80,20 @@ module Sqreen
       metric = @metrics[name][0]
       r = metric.next_sample(at)
       @metrics[name][2] = at # new start
-      if r
-        r[NAME_KEY] = name
-        obs = r[Metric::OBSERVATION_KEY]
-        start_of_mono = Time.now.utc - Sqreen.time
-        r[Metric::START_KEY] = start_of_mono + r[Metric::START_KEY]
-        r[Metric::FINISH_KEY] = start_of_mono + r[Metric::FINISH_KEY]
-        @store << r if obs && (!obs.respond_to?(:empty?) || !obs.empty?)
-      end
-      r
+      return unless r
+
+      r[NAME_KEY] = name
+      obs = r[Metric::OBSERVATION_KEY]
+      return unless obs && (!obs.respond_to?(:empty?) || !obs.empty?)
+      start_of_mono = Time.now.utc - Sqreen.time
+
+      agg = AggregatedMetric.new
+      agg.metric = metric
+      agg.rule = agg.metric.rule
+      agg.start = start_of_mono + r[Metric::START_KEY]
+      agg.finish = start_of_mono + r[Metric::FINISH_KEY]
+      agg.data = obs
+      @store << agg
     end
 
     def valid_metric(kind, name)

data/lib/sqreen/performance_notifications/binned_metrics.rb

@@ -122,10 +122,16 @@ module Sqreen
       attr_reader :metrics_store
       attr_reader :period
 
-      def ensure_metric(metric_name)
+      def ensure_metric(metric_name, rule = nil)
         return if metrics_store.metric?(metric_name)
         metrics_store.create_metric(
-          'name' => metric_name, 'period' => period, 'kind' => 'Binning', 'options' => @perf_metric_opts
+          {
+            'name' => metric_name,
+            'period' => period,
+            'kind' => 'Binning',
+            'options' => @perf_metric_opts,
+          },
+          rule
         )
       end
 

data/lib/sqreen/rules.rb

@@ -135,13 +135,15 @@ module Sqreen
         return nil
       end
 
+      rule_cb = cb_class.new(instr_class, instr_method, hash_rule)
+
       if metrics_store
         (hash_rule[Attrs::METRICS] || []).each do |metric|
-          metrics_store.create_metric(metric)
+          metrics_store.create_metric(metric, rule_cb)
         end
       end
 
-      cb_class.new(instr_class, instr_method, hash_rule)
+      rule_cb
     rescue => e
       rule_name = nil
       rulespack_id = nil

data/lib/sqreen/rules/rule_cb.rb

@@ -61,7 +61,9 @@ module Sqreen
           :infos => infos,
           :rulespack_id => rulespack_id,
           :rule_name => rule_name,
+          :attack_type => @rule['attack_type'], # for signal
           :test => test,
+          :block => @rule['block'], # for signal
           :time => at,
         }
         if payload_tpl.include?('context')

data/lib/sqreen/rules/waf_cb.rb

@@ -132,20 +132,23 @@ module Sqreen
       end
 
       def record_exception(exception, infos = {}, at = Time.now.utc)
-        infos.merge!(exception_to_infos(exception)) if exception.is_a?(Sqreen::WAFError)
+        infos.merge!(waf_infos(exception)) if exception.is_a?(Sqreen::WAFError)
         super(exception, infos, at)
       end
 
       private
 
-      def exception_to_infos(e)
+      # see https://github.com/sqreen/TechDoc/blob/master/content/specs/spec000016-waf-integration.md#error-management
+      def waf_infos(e)
         {
-          waf_rule: e.rule_name,
-          error_code: ERROR_CODES[e.error],
-        }.tap do |r|
-          r[:error_data] = e.data if e.data
-          r[:args] = e.args if e.args
-        end
+          waf:  {
+            waf_rule: e.rule_name,
+            error_code: ERROR_CODES[e.error],
+          }.tap do |r|
+            r[:error_data] = e.data if e.data
+            r[:args] = e.args if e.arg
+          end,
+        }
       end
 
       ERROR_CODES = {

data/lib/sqreen/runner.rb

@@ -23,6 +23,7 @@ require 'sqreen/performance_notifications/binned_metrics'
 require 'sqreen/legacy/instrumentation'
 require 'sqreen/call_countable'
 require 'sqreen/weave/legacy/instrumentation'
+require 'sqreen/kit/configuration'
 
 module Sqreen
   @features = {}
@@ -37,6 +38,8 @@ module Sqreen
   PERF_METRICS_PERIOD = 60 # 1 min
   DEFAULT_PERF_LEVEL = 0 # disabled
 
+  DEFAULT_USE_SIGNALS = false
+
   class << self
     attr_reader :features
     def update_features(features)
@@ -87,7 +90,9 @@ module Sqreen
 
     attr_accessor :heartbeat_delay
     attr_accessor :metrics_engine
+    # @return [Sqreen::Deliveries::Simple]
     attr_reader :deliverer
+    # @return [Sqreen::Session]
     attr_reader :session
     attr_reader :instrumenter
     attr_accessor :running
@@ -111,12 +116,17 @@ module Sqreen
       @token = @configuration.get(:token)
       @app_name = @configuration.get(:app_name)
       @url = @configuration.get(:url)
+      @proxy_url = @configuration.get(:proxy_url)
       Sqreen.update_whitelisted_paths([])
       Sqreen.update_whitelisted_ips({})
       Sqreen.update_performance_budget(nil)
       raise(Sqreen::Exception, 'no url found') unless @url
       raise(Sqreen::TokenNotFoundException, 'no token found') unless @token
 
+      Sqreen::Kit::Configuration.logger = Sqreen.log
+      Sqreen::Kit::Configuration.ingestion_url = @configuration.get(:ingestion_url)
+      Sqreen::Kit::Configuration.proxy_url = @configuration.get(:proxy_url)
+
       register_exit_cb if set_at_exit
 
       self.metrics_engine = MetricsStore.new
@@ -142,7 +152,7 @@ module Sqreen
           Sqreen.log.debug do
             "Override initial features with #{conf_features.inspect}"
           end
-          wanted_features = conf_features
+          wanted_features = wanted_features.merge(conf_features)
         rescue
           Sqreen.log.warn do
             "NOT using invalid inital features #{conf_initial_features}"
@@ -161,7 +171,7 @@ module Sqreen
     end
 
     def create_session(session_class)
-      @session = session_class.new(@url, @token, @app_name)
+      @session = session_class.new(@url, @token, @app_name, @proxy_url)
       session.login(@framework)
     end
 
@@ -170,8 +180,18 @@ module Sqreen
       @deliverer = new_deliverer
     end
 
-    def batch_events(batch_size, max_staleness = nil)
+    def batch_events(batch_size, max_staleness = nil, use_signals = false)
       size = batch_size.to_i
+
+      if size <= 1 && use_signals
+        Sqreen.log.warn do
+          "Using signals with no delivery batching is unsupported. " \
+          "Using instead batching with batch size = 30, max_staleness = 60"
+        end
+        size = 30
+        max_staleness = 60
+      end
+
       self.deliverer = if size < 1
                          Deliveries::Simple.new(session)
                        else
@@ -301,19 +321,37 @@ module Sqreen
     def do_heartbeat
       @last_heartbeat_request = Time.now
       @next_metrics.concat(metrics_engine.publish(false)) if metrics_engine
-      res = session.heartbeat(next_command_results, next_metrics)
+      metrics_in_hb = use_signals? ? nil : next_metrics
+
+      res = session.heartbeat(next_command_results, metrics_in_hb)
       next_command_results.clear
+
+      deliver_metrics_as_event if use_signals?
       next_metrics.clear
+
       process_commands(res['commands'])
     end
 
+    def deliver_metrics_as_event
+      # this is disastrous withe simple delivery strategy,
+      # as each aggregated metric would trigger an http request
+      # Sending of metrics is therefore not supported with simple delivery strategy
+      # TODO: Confirm that only batch is used in production
+      next_metrics.each { |x| deliverer.post_event(x) }
+    end
+
     def features(_context_infos = {})
       Sqreen.features
     end
 
+    def use_signals?
+      features.fetch('use_signals', DEFAULT_USE_SIGNALS)
+    end
+
     def features=(features)
       Sqreen.update_features(features)
       session.request_compression = features['request_compression'] if session
+      session.use_signals = use_signals?
       self.performance_metrics_period = features['performance_metrics_period']
 
       unless @configuration.get(:weave)
@@ -331,7 +369,7 @@ module Sqreen
       hd = features['heartbeat_delay'].to_i
       self.heartbeat_delay = hd if hd > 0
       return if features['batch_size'].nil?
-      batch_events(features['batch_size'], features['max_staleness'])
+      batch_events(features['batch_size'], features['max_staleness'], use_signals?)
     end
 
     def change_whitelisted_paths(paths, _context_infos = {})

data/lib/sqreen/sensitive_data_redactor.rb

@@ -61,7 +61,7 @@ module Sqreen
         obj.each do |k, v|
           ck = k.is_a?(String) ? k.downcase : k
           if @keys.include?(ck)
-            redacted << v
+            redacted += SensitiveDataRedactor.all_strings(v)
             v = MASK
           else
             v, r = redact(v)
@@ -74,39 +74,27 @@ module Sqreen
       [result, redacted]
     end
 
-    def redact_attacks!(attacks, values)
-      return attacks if values.empty?
-
-      values = values.map { |v| v.downcase if v.is_a?(String) }
-
-      attacks.each do |e|
-        next(e) unless e[:infos]
-        next(e) unless e[:infos][:waf_data]
-
-        parsed = JSON.parse(e[:infos][:waf_data])
-        redacted = parsed.each do |w|
-          next unless (filters = w['filter'])
-
-          filters.each do |f|
-            next unless (v = f['resolved_value'])
-            next unless values.include?(v.downcase)
+    class << self
+      def all_strings(v)
+        accum = []
+        all_strings_impl(v, accum)
+        accum
+      end
 
-            f['match_status'] = MASK
-            f['resolved_value'] = MASK
+      private
+
+      def all_strings_impl(obj, accum)
+        case obj
+        when String
+          accum << obj
+        when Array
+          obj.each { |el| all_strings_impl(el, accum) }
+        when Hash
+          obj.each do |k, v|
+            all_strings_impl(k, accum)
+            all_strings_impl(v, accum)
           end
         end
-        e[:infos][:waf_data] = JSON.dump(redacted)
-      end
-    end
-
-    def redact_exceptions!(exceptions, values)
-      return exceptions if values.empty?
-
-      exceptions.each do |e|
-        next(e) unless e[:infos]
-        next(e) unless e[:infos][:waf]
-
-        e[:infos][:waf].delete(:args)
       end
     end
   end

data/lib/sqreen/session.rb

@@ -11,6 +11,10 @@ require 'sqreen/events/attack'
 require 'sqreen/events/request_record'
 require 'sqreen/exception'
 require 'sqreen/safe_json'
+require 'sqreen/kit'
+require 'sqreen/kit/configuration'
+require 'sqreen/signals/signals_submission_strategy'
+require 'sqreen/legacy/old_event_submission_strategy'
 
 require 'net/https'
 require 'uri'
@@ -41,13 +45,12 @@ module Sqreen
     RETRY_MANY = 301
 
     MUTEX = Mutex.new
-    METRICS_KEY = 'metrics'.freeze
 
     @@path_prefix = '/sqreen/v0/'
 
     attr_accessor :request_compression
 
-    def initialize(server_url, token, app_name = nil)
+    def initialize(server_url, token, app_name = nil, proxy_url = nil)
       @token = token
       @app_name = app_name
       @session_id = nil
@@ -59,16 +62,35 @@ module Sqreen
       uri = parse_uri(server_url)
       use_ssl = (uri.scheme == 'https')
 
+      proxy_params = []
+      if proxy_url
+        proxy_uri = parse_uri(proxy_url)
+        proxy_params = [proxy_uri.host, proxy_uri.port, proxy_uri.user, proxy_uri.password]
+      end
+
       @req_nb = 0
 
-      @http = Net::HTTP.new(uri.host, uri.port)
+      @http = Net::HTTP.new(uri.host, uri.port, *proxy_params)
       @http.use_ssl = use_ssl
+      @http.verify_mode = OpenSSL::SSL::VERIFY_NONE if ENV['SQREEN_SSL_NO_VERIFY'] # for testing
       if use_ssl
         cert_file = File.join(File.dirname(__FILE__), 'ca.crt')
         cert_store = OpenSSL::X509::Store.new
         cert_store.add_file cert_file
         @http.cert_store = cert_store
       end
+      self.use_signals = false
+    end
+
+    def use_signals=(do_use)
+      return if do_use == @use_signals
+
+      @use_signals = do_use
+      if do_use
+        @evt_sub_strategy = Sqreen::Signals::SignalsSubmissionStrategy.new
+      else
+        @evt_sub_strategy = Sqreen::Legacy::OldEventSubmissionStrategy.new(method(:post))
+      end
     end
 
     def parse_uri(uri)
@@ -235,6 +257,8 @@ module Sqreen
       end
       Sqreen.log.info 'Login success.'
       @session_id = res['session_id']
+      Kit::Configuration.session_key = @session_id
+      Kit.reset
       Sqreen.log.debug { "received session_id #{@session_id}" }
       Sqreen.logged_in = true
       res
@@ -246,20 +270,24 @@ module Sqreen
 
     def heartbeat(cmd_res = {}, metrics = [])
       payload = {}
-      payload['metrics'] = metrics unless metrics.nil? || metrics.empty?
+      unless metrics.nil? || metrics.empty?
+        # never reached with signals
+        payload['metrics'] = metrics.map do |m|
+          Sqreen::Legacy::EventToHash.convert_agg_metric(m)
+        end
+      end
       payload['command_results'] = cmd_res unless cmd_res.nil? || cmd_res.empty?
 
       post('app-beat', payload.empty? ? nil : payload, {}, RETRY_MANY)
     end
 
     def post_metrics(metrics)
-      return if metrics.nil? || metrics.empty?
-      payload = { METRICS_KEY => metrics }
-      post(METRICS_KEY, payload, {}, RETRY_MANY)
+      @evt_sub_strategy.post_metrics(metrics)
     end
 
+    # XXX never called
     def post_attack(attack)
-      post('attack', attack.to_hash, {}, RETRY_MANY)
+      @evt_sub_strategy.post_attack(attack)
     end
 
     def post_bundle(bundle_sig, dependencies)
@@ -271,33 +299,17 @@ module Sqreen
     end
 
     def post_request_record(request_record)
-      post('request_record', request_record.to_hash, {}, RETRY_MANY)
+      @evt_sub_strategy.post_request_record(request_record)
     end
 
     # Post an exception to Sqreen for analysis
     # @param exception [RemoteException] Exception and context to be sent over
     def post_sqreen_exception(exception)
-      post('sqreen_exception', exception.to_hash, {}, 5)
-    rescue StandardError => e
-      Sqreen.log.warn(format('Could not post exception (network down? %s) %s',
-                             e.inspect,
-                             exception.to_hash.inspect))
-      nil
+      @evt_sub_strategy.post_sqreen_exception(exception)
     end
 
-    BATCH_KEY = 'batch'.freeze
-    EVENT_TYPE_KEY = 'event_type'.freeze
     def post_batch(events)
-      batch = events.map do |event|
-        h = event.to_hash
-        h[EVENT_TYPE_KEY] = event_kind(event)
-        h
-      end
-      Sqreen.log.debug do
-        tally = Hash[events.group_by(&:class).map{ |k,v| [k, v.count] }]
-        "Doing batch with the following tally of event types: #{tally}"
-      end
-      post(BATCH_KEY, { BATCH_KEY => batch }, {}, RETRY_MANY)
+      @evt_sub_strategy.post_batch(events)
     end
 
     # Perform agent logout
@@ -313,15 +325,5 @@ module Sqreen
       Sqreen.logged_in = false
       disconnect
     end
-
-    protected
-
-    def event_kind(event)
-      case event
-      when Sqreen::RemoteException then 'sqreen_exception'
-      when Sqreen::Attack then 'attack'
-      when Sqreen::RequestRecord then 'request_record'
-      end
-    end
   end
 end